Predefined roles and permissions

This page provides information on BigQuery's Cloud Identity and Access Management roles and permissions.

This page includes roles and permissions relevant to each of BigQuery's companion products:

  • BigQuery ML
  • BigQuery Data Transfer Service
  • BigQuery BI Engine

For additional information on access controls in BigQuery ML, see Access control in the BigQuery ML documentation.

Overview

When an identity calls a Google Cloud Platform API, Google BigQuery requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

This page describes the BigQuery Cloud IAM roles that you can grant to identities to access BigQuery resources.

Cloud IAM role types

There are three types of roles in Cloud Identity and Access Management:

  • Primitive roles include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud Identity and Access Management.
  • Predefined roles provide granular access for a specific service and are managed by GCP. Predefined roles are meant to support common use cases and access control patterns.
  • Custom roles provide granular access according to a user-specified list of permissions.

To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods:

When you assign both predefined and primitive roles to a user, the permissions granted are a union of each role's permissions.

For additional information on using IAM to access resources, see Granting, changing, and revoking access to resources in the Cloud Identity and Access Management documentation.

For information on creating custom roles, see Creating and managing custom roles in the Cloud Identity and Access Management documentation.

BigQuery permissions and predefined Cloud IAM roles

To grant access to a BigQuery resource, assign one or more roles to a user, group, or service account. When you assign roles at the organization and project level, you provide permission to run BigQuery jobs or to manage all of a project's BigQuery resources.

You can also assign roles at the dataset level to provide access only to one or more datasets. In the IAM policy hierarchy, BigQuery datasets are child resources of projects. Tables and views are child resources of datasets; they inherit permissions from their parent dataset, so a role granted on a dataset applies to every table and view in it, and a role granted on the project applies to every dataset in the project. For least privilege, pair bigquery.jobUser at the project level with bigquery.dataViewer on only the datasets a principal needs to query, rather than granting dataViewer at the project level, which exposes every dataset in the project.

For more information on assigning roles at the dataset level, see Controlling access to datasets.

BigQuery permissions

The following table describes the permissions available in BigQuery.

Permission Description
bigquery.jobs.create Create new jobs.
bigquery.jobs.listAll List all jobs and retrieve metadata on any job submitted by any user.*
bigquery.jobs.list List all jobs and retrieve metadata on any job submitted by any user.* For jobs submitted by other users, details and metadata are redacted.
bigquery.jobs.get Get data and metadata on any job.*
bigquery.jobs.update Cancel any job.*
bigquery.datasets.create Create new empty datasets.
bigquery.datasets.delete Delete a dataset.
bigquery.datasets.get Get metadata about a dataset.
bigquery.datasets.update Update metadata for a dataset.
bigquery.tables.create Create new tables.
bigquery.tables.list List tables and metadata on tables.
bigquery.tables.delete Delete tables.
bigquery.tables.get Get table metadata. To get table data, you need bigquery.tables.getData.
bigquery.tables.getData Get table data. To get table metadata, you need bigquery.tables.get.
bigquery.tables.export Export table data out of BigQuery.
bigquery.tables.update Update table metadata. To update table data, you need bigquery.tables.updateData.
bigquery.tables.updateData Update table data. To update table metadata, you need bigquery.tables.update.
bigquery.routines.create (beta) Create new routines (functions and stored procedures).
bigquery.routines.list (beta) List routines and metadata on routines.
bigquery.routines.delete (beta) Delete routines.
bigquery.routines.get (beta) Get routine definitions and metadata.
bigquery.routines.update (beta) Update routine definitions and metadata.

bigquery.transfers.get Get transfer metadata.
bigquery.transfers.update Create, update, and delete transfers.
bigquery.savedqueries.create Create saved queries.
bigquery.savedqueries.get Get metadata on saved queries.
bigquery.savedqueries.list List saved queries.
bigquery.savedqueries.update Update saved queries.
bigquery.savedqueries.delete Delete saved queries.
bigquery.readsessions.create (beta) Create a new read session via the BigQuery Storage API.
bigquery.connections.create (beta) Create new connections in a project.
bigquery.connections.get (beta) Get connection metadata. Credentials are excluded.
bigquery.connections.list (beta) List connections in a project.
bigquery.connections.use (beta) Use a connection configuration to connect to a remote data source.
bigquery.connections.update (beta) Update a connection and its credentials.
bigquery.connections.delete (beta) Delete a connection.

* For any job you create, you automatically have the equivalent of the bigquery.jobs.get and bigquery.jobs.update permissions for that job.

BigQuery predefined Cloud IAM roles

The following table lists the predefined BigQuery IAM roles with a corresponding list of all the permissions each role includes. Note that every permission is applicable to a particular resource type.

BigQuery roles

Each entry below gives the role, its title, a description, the permissions it includes, and the lowest resource type at which it can be granted.

roles/bigquery.admin (BigQuery Admin)
Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.
Permissions:
  • bigquery.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Project

roles/bigquery.connectionAdmin (BigQuery Connection Admin, Beta)
Permissions:
  • bigquery.connections.*

roles/bigquery.connectionUser (BigQuery Connection User, Beta)
Permissions:
  • bigquery.connections.get
  • bigquery.connections.getIamPolicy
  • bigquery.connections.list
  • bigquery.connections.use

roles/bigquery.dataEditor (BigQuery Data Editor)
When applied to a dataset, dataEditor provides permissions to:
  • Read the dataset's metadata and list tables in the dataset.
  • Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also create new datasets. Because bigquery.tables.* includes bigquery.tables.getData and bigquery.tables.export, dataEditor can also read and export table data.
Permissions:
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.updateTag
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Dataset

roles/bigquery.dataOwner (BigQuery Data Owner)
When applied to a dataset, dataOwner provides permissions to:
  • Read, update, and delete the dataset.
  • Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also create new datasets. Because dataOwner can update and delete the dataset itself, treat it as an administrative grant for that dataset rather than a data-access grant.
Permissions:
  • bigquery.datasets.*
  • bigquery.models.*
  • bigquery.routines.*
  • bigquery.tables.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Dataset

roles/bigquery.dataViewer (BigQuery Data Viewer)
When applied to a dataset, dataViewer provides permissions to:
  • Read the dataset's metadata and list tables in the dataset.
  • Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles are necessary to run jobs: a query against the data requires bigquery.jobs.create on the project (for example, bigquery.jobUser) in addition to this role. Note that dataViewer includes bigquery.tables.export, so a viewer can also export table data out of BigQuery.
Permissions:
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getData
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.export
  • bigquery.tables.get
  • bigquery.tables.getData
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Dataset

roles/bigquery.jobUser (BigQuery Job User)
Provides permissions to run jobs, including queries, within the project. The jobUser role can enumerate their own jobs and cancel their own jobs. It grants no access to data; reading or writing tables requires a data role such as dataViewer or dataEditor on the relevant datasets.
Permissions:
  • bigquery.jobs.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Project

roles/bigquery.metadataViewer (BigQuery Metadata Viewer)
When applied at the project or organization level, metadataViewer provides permissions to:
  • List all datasets and read metadata for all datasets in the project.
  • List all tables and views and read metadata for all tables and views in the project.
Additional roles are necessary to allow the running of jobs. This role does not include bigquery.tables.getData, so it cannot read table contents.
Permissions:
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.models.getMetadata
  • bigquery.models.list
  • bigquery.routines.get
  • bigquery.routines.list
  • bigquery.tables.get
  • bigquery.tables.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Project

roles/bigquery.readSessionUser (BigQuery Read Session User, Beta)
Access to create and use read sessions.
Permissions:
  • bigquery.readsessions.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list

roles/bigquery.user (BigQuery User)
Provides permissions to run jobs, including queries, within the project. The user role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the bigquery.dataOwner role for these new datasets. Because it includes bigquery.jobs.list, the user role can also list jobs submitted by other users, with their details and metadata redacted.
Permissions:
  • bigquery.config.get
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.jobs.create
  • bigquery.jobs.list
  • bigquery.models.list
  • bigquery.readsessions.*
  • bigquery.routines.list
  • bigquery.savedqueries.get
  • bigquery.savedqueries.list
  • bigquery.tables.list
  • bigquery.transfers.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Lowest resource: Project
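As an added example (not code from the BigQuery documentation or from Google), the following Python script models two rules this page states: a principal holding several roles has the union of their permissions, and a role bound on a project is inherited by the datasets and tables under it, while a role bound on a dataset applies only to that dataset and its tables. It encodes a subset of the role and permission names from the tables above; the project, dataset, table and principal names are constructed for the example. The check it performs is the one practitioners most often get wrong: running a query needs bigquery.jobs.create on the project and bigquery.tables.getData on the table, so dataViewer on a dataset by itself is not enough.

```python
"""Resolve effective BigQuery IAM permissions from role bindings.

Added example; not code from the BigQuery documentation. Role and
permission names are the real ones listed on this page (subset). The
project, dataset, table and principal names are constructed sample data.
"""
from fnmatch import fnmatchcase

# Subset of the permission table on this page; used to expand wildcards.
PERMISSIONS = [
    "bigquery.jobs.create", "bigquery.jobs.list", "bigquery.jobs.listAll",
    "bigquery.jobs.get", "bigquery.jobs.update",
    "bigquery.datasets.create", "bigquery.datasets.delete",
    "bigquery.datasets.get", "bigquery.datasets.update",
    "bigquery.tables.create", "bigquery.tables.list", "bigquery.tables.delete",
    "bigquery.tables.get", "bigquery.tables.getData", "bigquery.tables.export",
    "bigquery.tables.update", "bigquery.tables.updateData",
]

# Subset of the predefined-role table on this page.
ROLES = {
    "roles/bigquery.jobUser": ["bigquery.jobs.create"],
    "roles/bigquery.dataViewer": [
        "bigquery.datasets.get", "bigquery.tables.export", "bigquery.tables.get",
        "bigquery.tables.getData", "bigquery.tables.list",
    ],
    "roles/bigquery.dataEditor": [
        "bigquery.datasets.create", "bigquery.datasets.get", "bigquery.tables.*",
    ],
    "roles/bigquery.dataOwner": ["bigquery.datasets.*", "bigquery.tables.*"],
    "roles/bigquery.admin": ["bigquery.*"],
}


def expand(patterns):
    """Expand wildcard entries such as bigquery.tables.* into concrete permissions."""
    perms = set()
    for pat in patterns:
        if "*" in pat:
            perms.update(p for p in PERMISSIONS if fnmatchcase(p, pat))
        else:
            perms.add(pat)
    return perms


def is_ancestor_or_self(binding_resource, target):
    """True if target is binding_resource itself or lies beneath it in the hierarchy."""
    return target == binding_resource or target.startswith(binding_resource + "/")


def effective_permissions(bindings, principal, resource):
    """Union of permissions a principal holds on a resource.

    bindings: list of (principal, role, resource) tuples. A binding on a
    project applies to every dataset and table under it; a binding on a
    dataset applies to that dataset and its tables only.
    """
    perms = set()
    for who, role, on in bindings:
        if who == principal and is_ancestor_or_self(on, resource):
            perms |= expand(ROLES[role])
    return perms


def can_query(bindings, principal, table):
    """A query job is created in the project and reads the table.

    Requires bigquery.jobs.create on the project plus bigquery.tables.getData
    on the table (inherited from its dataset).
    """
    project = table.split("/datasets/")[0]
    return ("bigquery.jobs.create" in effective_permissions(bindings, principal, project)
            and "bigquery.tables.getData" in effective_permissions(bindings, principal, table))


# Constructed sample policy: the analyst gets jobUser on the project and
# dataViewer on one dataset; the auditor gets dataViewer on that dataset only.
BINDINGS = [
    ("analyst@example.com", "roles/bigquery.jobUser", "projects/demo"),
    ("analyst@example.com", "roles/bigquery.dataViewer", "projects/demo/datasets/sales"),
    ("auditor@example.com", "roles/bigquery.dataViewer", "projects/demo/datasets/sales"),
]

SALES_TABLE = "projects/demo/datasets/sales/tables/orders"
HR_TABLE = "projects/demo/datasets/hr/tables/salaries"

if __name__ == "__main__":
    print("analyst can query sales:", can_query(BINDINGS, "analyst@example.com", SALES_TABLE))
    print("analyst can query hr:", can_query(BINDINGS, "analyst@example.com", HR_TABLE))
    print("auditor can query sales:", can_query(BINDINGS, "auditor@example.com", SALES_TABLE))
```

The analyst can query the sales dataset but not hr, because dataViewer was bound on one dataset and does not propagate sideways; the auditor holds getData on the sales tables yet cannot query at all, because nothing grants bigquery.jobs.create on the project.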

BigQuery primitive roles

For information on BigQuery primitive roles, see BigQuery primitive roles and permissions.

BigQuery custom roles

To create a custom Cloud IAM role for BigQuery, follow the steps outlined in the Cloud IAM custom roles documentation.
